Firewall Wizards mailing list archives
Re: Multiple firewalls from different manufacturers
From: Kevin <kkadow () gmail com>
Date: Wed, 26 Jan 2005 17:23:53 -0600
On Wed, 26 Jan 2005, Shimon Silberschlag wrote:
In the past, I used to hear the recommendation that an internet facing firewall setup should include at least 2 firewalls from different manufacturers.
Going beyond that, layering distinct types of firewall (filter, proxy, IPS, etc) running on different base operating systems (PIXOS, BSD, etc) further reduces the likelihood of an attacker possessing "0 day" exploits against the entire stack.
On Wed, 26 Jan 2005 16:04:28 -0500 (EST), Paul D. Robertson <paul () compuwar net> wrote:
I still try to at least get a screening router up front that does have a different packet filtering implementation (so I don't generally use green firewalls.) To me, it's a matter of not designing easy to fail infrastructure.
At a minimum, a screening router in front of any firewall makes a lot of sense, and recently I've started to deploy screening routers on the inside to filter default route outbound traffic. It could be seen as designing an infrastructure that is easy to DoS, as any attack causing any one device in the series to fall will cause the whole path to stop passing traffic. The infrastructure might fail more easily, but it should always "fail closed".
With two devices, you have the chance to catch configuration failures, not just implementation failures. If possible, it's nice to have two different groups handling each piece in coordination, so that you have to have two people co-opted to start punching holes, especially admin-installed backdoors. With commodity pricing on firewalls, it's really a question of "what do you have to lose?"
Deploying multiple different types of security device in series adds cost, complexity, and failure modes. Managing the infrastructure requires more staff with more diverse skills, and the coordination required to "punch holes" will increase the effort and delay when changes are legitimately required. That said, I still think layering can be a good idea.
Today, when attacks are shifting towards using the already open ports on the firewall, at the application level, do you think that such a setup is still mandatory and/or recommended?
Yes.
Do you see such setups implemented? Or do most setups include a single FW with multiple DMZs, connected directly to the internal network?
I see a lot of setups where multiple firewalls from different manufacturers are deployed, in parallel.
Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
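The two-devices-in-series argument in the post above, as an added example that is not part of Kevin's message or any product: a small Python model in which a flow passes only if every device in the chain permits it, a dead device fails closed, and an audit lists the flows on which the devices disagree, which is exactly where an unapproved rule on one box gets caught by the other. Device names, addresses and rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str          # "permit" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    dport: int = 0       # 0 matches any destination port
    def matches(self, flow):
        src, dst, dport = flow
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport == 0 or self.dport == dport))

@dataclass
class Device:
    name: str
    rules: list
    up: bool = True
    def permits(self, flow):
        if not self.up:               # a dead box passes nothing: fail closed
            return False
        for r in self.rules:          # first-match semantics
            if r.matches(flow):
                return r.action == "permit"
        return False                  # implicit deny at the end of the list

def chain_permits(devices, flow):
    """Traffic passes only if every device in the series permits it."""
    return all(d.permits(flow) for d in devices)

def audit(devices, flows):
    """Flows on which the devices disagree (one permits, another blocks)."""
    findings = {}
    for f in flows:
        verdicts = {d.name: d.permits(f) for d in devices}
        if len(set(verdicts.values())) > 1:
            findings[f] = verdicts
    return findings

# Constructed sample: screening router (vendor A) ahead of the firewall (vendor B),
# both intended to expose only HTTP/HTTPS on the DMZ web host 192.0.2.10.
WEB, ANY = "192.0.2.10/32", "0.0.0.0/0"
ROUTER = Device("router", [Rule("permit", ANY, WEB, 80), Rule("permit", ANY, WEB, 443)])
# The firewall also carries a rule nobody approved: SSH open to the world.
FIREWALL = Device("firewall", [Rule("permit", ANY, WEB, 80), Rule("permit", ANY, WEB, 443),
                               Rule("permit", ANY, WEB, 22)])
FLOWS = [("198.51.100.5", "192.0.2.10", 80), ("198.51.100.5", "192.0.2.10", 22)]
```

Running `audit([ROUTER, FIREWALL], FLOWS)` reports only the SSH flow, permitted by the firewall but blocked by the router; marking either device `up=False` makes `chain_permits` refuse everything.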